alt.comp.virus Frequently Asked Questions
February 1995
DISCLAIMER: I assume no responsibility for any misuse of the items contained
within this FAQ.
Table of Contents
I. Preface
There have been several posts in alt.comp.virus, asking why there wasn't an
alt.comp.virus FAQ. I decided that was enough and set out to start writing it.
As with all FAQs it is not complete and won't cover every question, but, that's
why it's open for improvement. So any thing you would like to see added,
including the debates, send to:
danishm@iia.org.
A. Definitions of viruses and other types of electronic "life"
1. What is a virus?
A virus is a program that contains the ability to replicate. It has the ability
to spread itself through many computers. It does this by using the DOS and
BIOS interrupts, generally. (Other types of disk access will be discussed later
and are also found in VLAD#3.) It requires other programs to be able to spread,
which makes it different from a worm.
2. What is a worm?
A worm, like a virus, spreads itself by replication. A worm does not require
third party programs to replicate and usually spread themselves through
networks.
3. What is a trojan horse?
A trojan horse does not replicate, but is substituted for another program by a
user. Generally they wreak havoc on the computer when they run.
4. What is an ANSI bomb?
An ANSI bomb does not replicate either like a trojan horse, and usually does
damage by remapping the keyboard using ANSI.SYS (hence it's name) to damage the
computer. An example would be, an ANSI bomb remaps the letter A to 'FORMAT C:
/U /AUTOTEST' or 'ECHO Y:FORMAT C:'.
B. Discussion of programming techniques
1. Run-time .COM infecting viruses
In this FAQ I will only cover .COM file infection because it is very easy for
the beginner. Run-time viruses are run before the program and search for new
.COM files to infect. If they are of great size it can slow down the execution
of a program and thus warn the user. In theory run-time viruses are extremely
easy, but in practice occasionally will produce problems...depending on how
you're doing it. Overwriters are simple and easy to spot, they overwrite the
program:
{ Program }
After infection:
{ Virus }m }
Non-overwriters, or appenders, are a lot better in that they don't destroy
programs that they infect:
{ Program }
After infection:
{ V rogram }{ irus P}
^----------------^
As you see the virus replaces the first few bytes with a jump to the virus
code. After the jump the virus replaces the original code in it's proper spot,
ONLY in memory. Then the virus does it's stuff and jumps back to the beginning
of the program and the program runs as nothing had happened. At least that's
what supposed to happen. Some programs may cause problems, but that is the
exception, not the rule.
2. Memory-resident .COM infecting viruses
Memory-resident viruses are much better than their run-time kin because:
- They don't cause sluggish delays caused by searching and writing before the
file is run.
- They have a wider reach.
- They can be smaller sometimes.
- They can hide their code and increases in files in a DIR listing.
Plus much more. More knowledge is required however to write one, but that is
obvious and I will attempt to write a guideline (no code) to go by when writing
one.
First thing it should do is check for a previous installation. This can be
accomplished by making up a value for AX and checking for it in your handler.
Next memory reservation is required, this involves freeing up some memory
because .COM files get everything when run, then allocating some memory for
your code. Changing the value in MCB:0001h to 0008h will make that memory
resident. You can also decrease total conventional memory and put your code up
there.
Next you must move your code to that segment, wherever it may be, in a
MCB-controlled segment or top of memory.
Next you must point your interrupts that you are hooking to your code in the
segment that you reserved.
Then restore control to the host program. The interrupt handler is pretty
straightforward, but for a better description, refer to another source.
3. Alternate infection methods
The appending method of infection is not alone. Many other methods are
available including putting the virus first:
{ Program }
After:
{ Virus }{ Program }
Another is to put the jump in another location, such as to search for one in
the program:
{ Program }
After:
{ ProgVam }{ irus R}
^-----------^
4. Other tips & tricks
Everyone wants their virus to be undetectable and efficient, so here are a few
tricks I picked up, along with references from where I got them.
mov di,0101h ; If mov di,0100h TBSCAN detects it
dec di
push di
ret
; (from VLAD)
mov cx,word ptr [bp+old3] ; Alternate way of detecting .EXE files
add cl,ch
cmp cl,167
je close
; (from VLAD)
lea si,[bp+old3] ; Combines move of original 3 bytes and the
mov di,0101h ; jump back to 0100h
dec di
movsw
movsb
push di
ret
5. FTP sites and IRC bots
Here are a few FTP sites that have virus-related stuff:
- ftp.netcom.com/pub/br/bradleym
- ftp.netcom.com/pub/sb/sbringer
- aql.gatech.com
- ftp.iia.org/pub/users/danishm
(Contact me for access to virus area)
Here are a few IRC bots that carry virus stuff:
- LamerBot
- Krauser
- MFM-II
- Bot_m
Most of the bots can be found on channel #virus
C. Virus removal and anti-virus software
1. The Correct way to use FDISK /MBR
We've had people suggesting FDISK /MBR to people with MBR infections but often
they don't mention the problems that can come about from using it. FDISK /MBR
rewrites the Master Boot Record to the basic minimum the machine needs to
operate. If you have DriveSpace, Stacker, or any other type of utility that
installs itself in the MBR, and you FDISK /MBR your disk, you could lose all of
your data because the proper programs are not loaded. If that is the case find
a good AV program such as F-PROT and use it instead. In fact it always is a
good idea to find a different alternative rather than FDISK /MBR.
2. Removing Boot/MBR viruses
To determine that this is a virus that doesn't encrypt the original Boot/MBR,
boot from a CLEAN floopy disk and try and access the hard disk. If you can't,
it's a stealth virus and refer to the next section on Removing Boot/MBR stealth
viruses. If you can and there is no programs like Stacker loaded in your
original Boot/MBR then it is ok to use FDISK /MBR, SYS C:, though it is
recommended that you use AV-software instead. If you do need get back the
original, either extract and disassemble the Boot/MBR, contact the author of
the virus, or if that frightens you, get some AV-software to remove it.
3. Removing Boot/MBR stealth viruses
Refer to section 2 to find out if the virus is stealth. This
method will NOT work with non-stealth viruses, and is not guarenteed to work.
Make a program to extract the Boot/MBR. Then reboot your machine from the
infected hard disk and run the program. It should return the original Boot/MBR.
After this copy it to a disk that is NOT a boot disk. Now you have a copy of
your original Boot/MBR and you now can replace the Boot/MBR of your hard disk
with the original Boot/MBR. I will let you go about the coding by yourself
though I will be glad to send you files to do it. If you are afraid of
permanently destroying your hard disk, get some AV-software to do it for you.
4. Removing file viruses
Before removing file viruses, boot from a clean disk. Now you may go through
with DEBUG and see if there is a jump at the beginning to almost the end of the
file it may be infected. Disassemble the point where it jumped to, and see if
the code resembles virus code. If it does, attempt to look for the original few
bytes. If that prospect frightens you or you don't want to bother searching
each file, get AV-software to check them for you.
5. Anti-virus software review
I have prepared a review of anti-virus software from what I have gathered in my
journeys throughout the internet.
Central Point Anti-Virus (CPAV) - Isn't very good, but at least is original,
MSAV rips off most of it.
Microsoft Anti-Virus (MSAV) - Is horrible, besides the fact it rips off CPAV.
Norton Anti-Virus (NAV) - Not very good, though it gets good ratings from
magazines and stuff because of it's user interface, all graphical.
McAfee ViruScan (SCAN) - An ok scanner, better than CPAV, MSAV, and NAV, but
not the best.
ThunderByte Anti-Virus (TBAV) - An awesome scanner, it's capabilites with
unknown viruses are astounding.
F-Protect (F-PROT) - I have never seen a better scanner, it combines
heuristic capability (detecting unknown viruses) with an excellent scanning and
removal facility.
D. On-going debate on different views on viruses
1. Debate on viruses made for the hell of it
-Nothing-
2. Debate on viruses as smart weapons
-Nothing-
3. Debate on "good" viruses
-Nothing-
***That's it for this FAQ***